A Security Analysis of Cheap Smartwatches Concludes: If You Are Using One, Probably Don't
Developer and security researcher xssfox finds a commonly white-labeled smartwatch family all too eager to give up your data.
Pseudonymous security researcher and developer "xssfox" has found out exactly where the corners are being cut in cheap smartwatches: security, with one particular family of devices happily giving up all its secrets, including health data, to anyone who asks.
"If you are using a cheap smart watch, probably don't," xssfox explains of her research into such devices. "As with most complicated things in my life, it started with a simple question: do you know how to get the data off this [Ryze-brand] watch? Investigating the Ryze Android app I quickly discovered that this is a white label of an IDO smart watch. It got me thinking: could I pick up one of these watches for a lot cheaper to play with."
While Ryze charges around AU$250 (around $160) for its watches, devices based on the same hardware are available for as little as AU$39 (around $25), a figure much more conducive to potentially destructive testing. With one such device on hand ("hilariously I paired my IDO watch with the Ryze app and it just worked fine," xssfox notes), investigation began into how to pull data from the watch without using the official apps.
"Once connected and authenticated the device presents a Bluetooth service at 0AF0 which provides several characteristics," xssfox explains. "The important ones to us are a subscription to 0AF7; this is where data from the watch to the phone is sent, while 0AF6 allows us to send commands. I built a really rough and dirty website for talking to my device and getting the health data off it."
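The GATT layout quoted above (service 0AF0, notifications on 0AF7, writes on 0AF6) is enough to write a minimal Web Bluetooth client that checks what a device hands over before any pairing step. The following is an added example, not xssfox's code or anything from the published repository: it connects, subscribes to 0AF7, and records whether the command characteristic is writable. It sends nothing, because the write-up quoted here does not give the command format. The `bluetooth` object is injected (in a browser this is `navigator.bluetooth`) so the flow can be exercised against a stub offline; the field names in the returned record are this example's own.

```javascript
// Added example (not from the write-up or its repository): a minimal
// Web Bluetooth client for the 0AF0 service layout described in the article.
// Short 16-bit UUIDs expand onto the Bluetooth SIG base UUID; the helper
// below produces the 128-bit form that tools such as bluetoothctl display,
// so logged handles can be compared with what those tools report.
const BT_BASE_UUID_SUFFIX = "-0000-1000-8000-00805f9b34fb";

// Service and characteristic numbers quoted in the write-up.
const WATCH_SERVICE = 0x0af0; // primary service exposed by the watch
const WATCH_NOTIFY = 0x0af7; // watch -> phone: subscribe for notifications
const WATCH_COMMAND = 0x0af6; // phone -> watch: command writes

// Expand a 16-bit Bluetooth SIG short UUID to its 128-bit string form.
function shortUuidToFull(short) {
  if (!Number.isInteger(short) || short < 0 || short > 0xffff) {
    throw new RangeError("expected a 16-bit UUID");
  }
  return "0000" + short.toString(16).padStart(4, "0") + BT_BASE_UUID_SUFFIX;
}

// Connect to a device advertising 0AF0 and subscribe to 0AF7.
// `bluetooth` is navigator.bluetooth in a browser, or a stub in tests.
// `onFrame` receives each notification payload as a Uint8Array.
// Resolves to a small audit record (field names are this example's own).
async function subscribeToWatch(bluetooth, onFrame) {
  const device = await bluetooth.requestDevice({
    filters: [{ services: [WATCH_SERVICE] }],
  });
  const server = await device.gatt.connect();
  const service = await server.getPrimaryService(WATCH_SERVICE);
  const notify = await service.getCharacteristic(WATCH_NOTIFY);
  const command = await service.getCharacteristic(WATCH_COMMAND);

  notify.addEventListener("characteristicvaluechanged", (ev) => {
    const dv = ev.target.value; // DataView per the Web Bluetooth spec
    onFrame(new Uint8Array(dv.buffer, dv.byteOffset, dv.byteLength));
  });
  await notify.startNotifications();

  // If the characteristic required an encrypted or authenticated link, the
  // platform would have raised a pairing prompt or failed the GATT operation
  // before this point. Reaching here without either means the notification
  // channel is open to any connecting party, which is the article's finding.
  return {
    deviceName: device.name || "(unnamed)",
    notifyUuid: shortUuidToFull(WATCH_NOTIFY),
    commandUuid: shortUuidToFull(WATCH_COMMAND),
    commandWritable: Boolean(command.properties && command.properties.write),
    subscribed: true,
  };
}
```

In a page, `subscribeToWatch(navigator.bluetooth, frame => console.log(frame))` has to run from a user gesture such as a button click, since `requestDevice` refuses to open the chooser otherwise. The thing to watch for is whether the operating system ever asks to pair: if data arrives on 0AF7 and it never did, the device is relying on nothing but proximity.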
"When I originally paired the device I scanned a QR code on the watch," xssfox recalls. "Turns out this probably just had the MAC address on it or something, because after several hours of getting device info and pulling activity data I realised that I had never performed any authentication step. Resetting the app and re-pairing also revealed that there's no pairing code. Nothing. The device isn't locked or secured once connected. Anyone can connect to the device at any time and start issuing commands."
That's a concern, xssfox concludes, as that data can be private indeed: anything connecting to the watch can pull down activity data, sleep tracking data, heart rate data, and even menstrual cycle data, and can perform unauthorized firmware updates, all without authentication. "I don't have GPS in my version of the watch but I bet you can access that as well," she notes. "Whatever you want you can get it; there's no protection."
The full write-up is available on xssfox's website; source code is provided on GitHub under an unspecified license.